By Javvad Malik, Co-founder, Security B-Sides London and security awareness advocate for KnowBe4
QR codes have been around for many years. While they were adopted for certain niche uses, they never quite reached their full potential. They are a bit like Rick Astley in that regard: really popular for one song, and then the boat had sailed. Do not get me wrong, Rick Astley achieved a lot. In recent years, he has become immortalized as a meme and the face of the Rickroll, but he could have been so much more.
However, in recent years, with lockdowns and the drive to keep things at arm's length, QR codes have become an efficient way to facilitate contactless communication, or to deliver offers without physically handing over a coupon. As they have grown in popularity, more people have become familiar with how to generate their own QR codes and use them as virtual business cards, discount codes, links to videos and all sorts of other things.
As with most things, once something gains a bit of popularity, criminals move in to see how they can turn the situation to their advantage. Recently, we have seen fake QR codes stuck to parking meters: unwitting drivers scan the code believing they are paying for parking, when they are actually handing their payment details to criminals.
The rise in QR code fraud prompted the FBI to release an advisory warning about fake QR codes being used to scam users. In many cases, a fake QR code leads people to a website that looks like the intended legitimate site, so the usual verification process applies: check the URL before entering anything, and watch for the other familiar red flags.
Moving Beyond Fake Websites
There are many paid and free services that will let you create your own QR code, and this opens up many opportunities for more elaborate attacks and techniques.
A QR code can carry a pre-canned SMS message, ready for you to send. In this example, it is set to send the message “Earl grey, hot” to the phone number 123456789. I hope that this is not someone’s real phone number, because they would definitely wonder why Picard keeps sending them orders. But what if the number were changed to a premium-rate number, so that every scan costs the sender money? Or pointed at a victim’s number, so that every person who scans it adds to an SMS flood aimed at one person?
This code composes a pre-canned tweet, ready for you to send. That may be fine for competitions where you have to scan and tweet something positive about a particular product or brand to win a prize, but it is just as easy to slip something not so savory into the pre-filled text, which the person scanning then posts under their own name.
This one shares the public address of a crypto wallet. If you have a wallet on your phone and scan it, you can easily send money. Swap the address for one the attacker controls and every payment goes to them, and crypto transfers cannot be reversed.
This is perhaps my favorite type of code: one which lets someone quickly and easily connect to a Wi-Fi network. While that may be convenient in a coffee shop, or for giving guests access to your network, it can just as easily be abused to entice users onto a malicious network, where their traffic can be intercepted.
There are other types of QR codes, but you get the idea – and all of these are relatively trivial to repurpose for malicious activities.
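To make the payload types above concrete, here is an added example, written for this edit and not code from the article or from KnowBe4. It takes the text a scanner decodes and describes, in plain words, what acting on it would do, flagging the risky cases discussed above: a premium-rate SMS destination, an open or hidden Wi-Fi network, an irreversible crypto payment, a pre-filled tweet, and a URL with look-alike tricks (bare IP host, credentials before an "@", punycode labels, plain http). It also serves the URL-checking advice earlier on the page. The payload formats are the de-facto ones most scanner apps accept (ZXing-style SMSTO: and WIFI:, RFC 5724 sms:, BIP 21 bitcoin:, Twitter web intent links); the premium-rate prefix table and every sample payload are assumptions constructed for the example.

```python
"""Classify decoded QR payloads and say what acting on them would do.

Added example, not from the original article. Formats follow the de-facto
conventions scanner apps accept (ZXing SMSTO:/WIFI:, RFC 5724 sms:, BIP 21
bitcoin:, Twitter web intents). PREMIUM_PREFIXES is an assumed, illustrative
table, not a complete one.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumed, illustrative prefixes only: UK 09x premium rate, North American 900.
PREMIUM_PREFIXES = ("09", "+449", "1900", "+1900", "900")


def _unescape(value):
    # ZXing-style fields escape ; , : and \ with a backslash.
    return re.sub(r"\\(.)", r"\1", value)


def _fields(body):
    # Parse 'K:value;K2:value;' while respecting escaped semicolons.
    return {m.group(1): _unescape(m.group(2))
            for m in re.finditer(r"([A-Za-z]):((?:\\.|[^;\\])*);", body)}


def _digits(number):
    return re.sub(r"[^\d+]", "", number)


def describe(payload):
    """Return {'kind', 'action', 'flags'} for one decoded QR payload."""
    text = payload.strip()
    upper = text.upper()
    flags = []

    if upper.startswith("WIFI:"):
        f = _fields(text[5:])
        auth = f.get("T", "").lower() or "nopass"
        if auth == "nopass":
            flags.append("open network: traffic can be read or altered")
        if f.get("H", "").lower() == "true":
            flags.append("hidden SSID: you cannot see it in the network list first")
        return {"kind": "wifi",
                "action": f"Join Wi-Fi network {f.get('S', '?')!r} ({auth})",
                "flags": flags}

    if upper.startswith("SMSTO:") or upper.startswith("SMS:"):
        if upper.startswith("SMSTO:"):            # ZXing: SMSTO:number:message
            number, _, body = text[6:].partition(":")
        else:                                     # RFC 5724: sms:number?body=...
            number, _, query = text[4:].partition("?")
            body = parse_qs(query).get("body", [""])[0]
        number = _digits(number)
        if number.startswith(PREMIUM_PREFIXES):
            flags.append("destination looks like a premium-rate number")
        return {"kind": "sms", "action": f"Send SMS {body!r} to {number}", "flags": flags}

    if upper.startswith("BITCOIN:"):              # BIP 21: bitcoin:address?amount=...
        address, _, query = text[8:].partition("?")
        amount = parse_qs(query).get("amount", ["unspecified"])[0]
        flags.append("crypto payments are irreversible: verify the address out of band")
        return {"kind": "crypto", "action": f"Pay {amount} BTC to {address}", "flags": flags}

    parts = urlsplit(text)
    if parts.scheme in ("http", "https") and parts.netloc:
        host = parts.hostname or ""
        if parts.scheme != "https":
            flags.append("plain http: page can be tampered with in transit")
        if "@" in parts.netloc:
            flags.append("credentials/'@' in URL: real host is " + host)
        try:
            ipaddress.ip_address(host)
            flags.append("host is a bare IP address")
        except ValueError:
            pass
        if any(label.startswith("xn--") for label in host.split(".")):
            flags.append("punycode label: could be a look-alike domain")
        if host in ("twitter.com", "x.com") and parts.path == "/intent/tweet":
            tweet = parse_qs(parts.query).get("text", [""])[0]
            return {"kind": "tweet",
                    "action": f"Open compose window with text {tweet!r}",
                    "flags": flags + ["read the pre-filled text before posting"]}
        return {"kind": "url", "action": f"Open {parts.scheme}://{host}{parts.path}",
                "flags": flags}

    return {"kind": "other", "action": f"Raw text: {text!r}", "flags": flags}


if __name__ == "__main__":
    # Constructed sample payloads mirroring the article's examples.
    for p in ("SMSTO:123456789:Earl grey, hot",
              "SMSTO:09098790000:WIN",
              "https://twitter.com/intent/tweet?text=I%20love%20QR%20codes",
              "bitcoin:bc1qexampleaddress?amount=0.01",
              "WIFI:T:nopass;S:Free Coffee;;",
              "https://paypal.com@192.0.2.1/login"):
        r = describe(p)
        print(f"{r['kind']:6} {r['action']}  flags={r['flags']}")
```

The output of `describe` is the kind of preview a phone shows before it acts on a code; the `flags` list is what a cautious user (or an organisation's own scanner app) should surface before confirming.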
Fortunately, for these scams to succeed, criminals have to physically place or tamper with a QR code, which carries a risk for them. Also, none of these payloads triggers an action automatically: the phone displays a prompt showing what the intended action is (the number and message, the network name, the address to pay, the URL) and waits for you to confirm. That holds for the built-in camera apps; if you use a third-party scanner app, check that it is not set to open links automatically.
So, just like with email phishing, timely and appropriate security awareness training pays off. Teaching users to read that prompt, and to be mindful and vigilant whenever payments, credentials or personal details are involved, is critical.
Stay safe, and I will leave you with this final QR code to share my wisdom. Scan it to be enlightened.